Exploit.Siggen3.14399

Technical Information

To ensure autorun and distribution

Sets the following service settings

[<HKLM>\System\CurrentControlSet\Services\MsRkNrL] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\MsRkNrL] 'ImagePath' = '<SYSTEM32>\wscript.exe //B "C:\autoexec.vbs"'

Creates the following services

'MsRkNrL' <SYSTEM32>\wscript.exe //B "C:\autoexec.vbs"

Malicious functions

Creates and executes the following (exploit)

'<SYSTEM32>\wscript.exe' //B "%TEMP%\rknrl.vbs"

Modifies file system

Creates the following files

%TEMP%\dm6331.tmp
%WINDIR%\temp\rad74518.tmp
%WINDIR%\temp\rad08986.tmp
%WINDIR%\temp\rad6a1d8.tmp
%WINDIR%\temp\rad8f074.tmp
%WINDIR%\temp\rad4bb0a.tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\rknrl[1].vbs
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\rknrl[1].vbs
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\playback[1].php
%TEMP%\rad4438e.tmp
%TEMP%\rada3a1c.tmp
%TEMP%\rad99f0d.tmp
%TEMP%\radfcb8b.tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0o42hqll\dm6331[1].tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\url[2].htm
%TEMP%\rad96779.tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0o42hqll\rknrl[1].vbs
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0o42hqll\playback[1].php
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\dm6331[1].tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\rknrl[1].vbs
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\url[1].htm
%WINDIR%\temp\rad2d8e3.tmp
%WINDIR%\temp\rad17352.tmp
%WINDIR%\temp\rad3985f.tmp
%WINDIR%\temp\radab09f.tmp
%WINDIR%\temp\radb5e10.tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\api[2]
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\playback[1].php
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\dm6331[1].tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\dm6331[2].tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\playback[1].php
%WINDIR%\temp\rad04d64.tmp
%WINDIR%\temp\rad526f7.tmp
%TEMP%\winstart.vbs
%WINDIR%\temp\dm6331.tmp
%WINDIR%\temp\winstart.vbs
%WINDIR%\temp\rknrl.vbs
%TEMP%\radad4a1.tmp
%TEMP%\rade57d4.tmp
%TEMP%\radbca54.tmp
%TEMP%\rad9e6b1.tmp
%TEMP%\radcdb80.tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\api[1]
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\api[1]
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\url[1].htm
%WINDIR%\temp\rad115d7.tmp
%TEMP%\rknrl.vbs
%WINDIR%\temp\rad72235.tmp
%WINDIR%\temp\rad7fa43.tmp
%WINDIR%\temp\radfc2c4.tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\api[2]
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\api[1]
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\url[1].htm
%WINDIR%\temp\rad53ce8.tmp
%WINDIR%\temp\rad87763.tmp
%WINDIR%\temp\rad3a246.tmp
%WINDIR%\temp\rad43832.tmp
%WINDIR%\temp\radc28d7.tmp
%WINDIR%\temp\rad9fc25.tmp
%WINDIR%\temp\radbf794.tmp
%WINDIR%\temp\radb8f66.tmp
%WINDIR%\temp\radea498.tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\rknrl[2].vbs
%TEMP%\chrome.exe

Sets the 'hidden' attribute to the following files

C:\autoexec.vbs
C:\dm6331.tmp

Deletes the following files

%TEMP%\dm6332.tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\api[2]
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\rknrl[2].vbs
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\dm6331[1].tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0o42hqll\playback[1].php
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\url[2].htm
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\rknrl[1].vbs
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\dm6331[2].tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0o42hqll\rknrl[1].vbs
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\rknrl[1].vbs
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\dm6331[1].tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0o42hqll\dm6331[1].tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\playback[1].php
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\playback[1].php
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\rknrl[1].vbs
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\api[1]
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\url[1].htm
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\url[1].htm
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\api[2]
%WINDIR%\temp\dm6332.tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\api[1]
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\api[1]
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\url[1].htm
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\playback[1].php

Moves the following files

from %TEMP%\radad4a1.tmp to %TEMP%\dm6332.tmp
from %WINDIR%\temp\rad115d7.tmp to %WINDIR%\temp\dm6332.tmp

Substitutes the following files

%TEMP%\dm6332.tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\api[1]
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\api[1]
%WINDIR%\temp\dm6332.tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\url[1].htm
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\api[1]
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\playback[1].php
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\rknrl[1].vbs
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0o42hqll\rknrl[1].vbs
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0o42hqll\dm6331[1].tmp

Network activity

Connects to

'ap#.##herscan.io':80
'ai########ill.aigoingtokill.club':80
'm.#####ngtokill.club':80

TCP

HTTP GET requests

http://ap#.##herscan.io/api?mo#############################################################################
http://ai########ill.aigoingtokill.club/ctrl/playback.php
http://ai########ill.aigoingtokill.club/ctrl/file/DM6331.TMP
http://ai########ill.aigoingtokill.club/ctrl/file/rknrl.vbs
http://ai########ill.aigoingtokill.club/ctrl/url.html

UDP

DNS ASK ap#.##herscan.io
DNS ASK ai########ill.aigoingtokill.club
DNS ASK m.#####ngtokill.club

Miscellaneous

Creates and executes the following

'<SYSTEM32>\wscript.exe' //B "%TEMP%\winstart.vbs"
'<SYSTEM32>\wscript.exe' //B "%WINDIR%\TEMP\rknrl.vbs"
'<SYSTEM32>\wscript.exe' //B "%WINDIR%\TEMP\winstart.vbs"
'<SYSTEM32>\wscript.exe' //B "%TEMP%\rknrl.vbs"' (with hidden window)

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Technical Information

Curing recommendations

Free trial